CCPA Business Practices for Handling Consumer Requests

February 14, 2020, by administrator


We previously provided insights into this important portion of the CCPA regulations here.  In this installment, we address important revisions provided by the AG’s office to Article 3 of these regulations, several of which will have far-reaching implications. 

Below please find an overview of particularly relevant changes:

  • Businesses that operate exclusively online and collect personal information from consumers with whom they have a direct relationship will only be required to provide an email address for requests to know, as opposed to two or more methods, one of which had to be a toll-free phone number.

  • Businesses are no longer required to use a two-step process for online requests to delete, consisting of the submission of the request and confirmation. Instead, the two-step process is optional.

  • Businesses that cannot verify the consumer within 45 days of a request to know or delete may deny the request. 

  • Businesses no longer have the same responsibilities to search for personal information when responding to a request to know.  Businesses do not need to search for personal information that is not maintained in a searchable or reasonably accessible format, is only maintained for legal or compliance purposes and is not sold or used for a commercial purpose.  If each of these conditions is met, the business may instead describe to the consumer the categories of records that it did not search because these conditions were applied.

  • Businesses shall not disclose in response to a request to know unique biometric data generated from human characteristics. 

  • When responding to a request to know categories of personal information, businesses must now include additional information regarding the categories. 

  • When responding to requests to delete, businesses must now ask the consumer if they would like to opt-out of the sale of their personal information and provide the opt-out link or notice.  Businesses no longer have to treat all unverifiable requests to delete automatically as requests to opt-out. 

  • Service providers are restricted from processing personal information received from a business except to: (1) perform services in the contract with the business that provided the personal information; (2) engage a different service provider as a subcontractor; (3) use the data internally to build or improve the quality of its services; (4) protect against fraudulent or illegal activity and detect data security incidents; or (5) process in accordance with certain exemptions to the CCPA. Additionally, the requirement that service providers that receive requests to exercise rights directly from consumers instruct those consumers to submit their requests to the business has been eliminated. Instead, service providers are permitted but not required to respond directly.

Key Elements

§ 999.312…
